Using HTTPS on Cisco devices

Network administrators sometimes need a more user-friendly way than the CLI to configure, monitor and manage their networking devices. That need grows when monitoring the network, or when configuring complex features such as VPNs.


This is why, when a graphical user interface (GUI) is enabled on a device, it should be reachable only over a reliable and secure protocol such as HTTPS, and never over plain HTTP.

As a brief definition, Hypertext Transfer Protocol Secure (HTTPS) is standard HTTP layered on top of the SSL/TLS protocol, from which it gets its encryption, integrity protection and server authentication. The main benefit of using HTTPS for device management is that credentials and configuration data cannot be read or tampered with in transit by anyone eavesdropping on the management path.

Configuration Guidelines

1. Configure a hostname (which should be different from the default one) and a domain name; both are required before the device can generate the RSA key pair that HTTPS relies on

Router#config t
Router(config)# hostname R1
R1(config)# ip domain-name icttowers.com
R1(config)#

2. Create a local superuser (privilege level 15)

R1(config)#
R1(config)# username webadmin privilege 15 secret WebP@ssw0r6!
R1(config)#

Use the secret keyword rather than password, so the credential is stored as a hash instead of a reversible type-7 string. On IOS releases that support it, adding algorithm-type scrypt before secret selects a stronger hash than the default type-5 MD5.

3. Enable HTTPS, disable plaintext HTTP, and point authentication at the local user database

R1(config)#
R1(config)# ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)# no ip http server
R1(config)# ip http authentication local
R1(config)#

It is important to highlight here that when ip http secure-server is enabled on a device with no usable RSA key pair, IOS automatically generates 1024-bit RSA keys and a self-signed certificate from them (this is also why the hostname and domain name had to be set in step 1). A 1024-bit modulus is no longer considered adequate, so a practitioner should generate a stronger key pair first (for example crypto key generate rsa modulus 2048) and bind the HTTPS server to a trustpoint built on that key with ip http secure-trustpoint, rather than relying on the automatically generated key.

4. Change the default port number

R1(config)#
R1(config)# ip http secure-port 40403
R1(config)#

Moving the listener off port 443 only reduces noise from opportunistic scanners; it is not a security control on its own. The ACL in step 6 is what actually restricts who can reach the service.

5. Configure HTTPS timeout policies

R1(config)#
R1(config)# ip http timeout-policy idle 60 life 1200 requests 5000
R1(config)#

It is important to highlight here the following points:

    • The idle time-out of a connection is set to 60 seconds, so an abandoned browser session is torn down quickly
    • The connection life-time is set to 1200 seconds (20 minutes), after which the client must reconnect and re-authenticate
    • The maximum number of requests allowed over one connection is set to 5000

6. Use an ACL as an additional filter on the source address

R1(config)#
R1(config)# access-list 1 permit host 172.16.10.1
R1(config)# access-list 1 permit 172.16.20.0 0.0.0.255
R1(config)# ip http access-class 1
R1(config)#

It is important to highlight here the following points:

    • Connections from sources that are not permitted by the ACL are rejected at the TCP level (i.e. the client is never prompted to authenticate), which also keeps unauthorised sources from brute-forcing the login.
    • The ACL acts as the first barrier and the authentication as the second one.

7. Basic verification

Test from a neighboring device:
R2#
R2# ping 172.16.1.1
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2# telnet 172.16.1.1 443
Trying 172.16.1.1, 443 ...
% Connection refused by remote host

R2# telnet 172.16.1.1 40403
Trying 172.16.1.1, 40403 ... Open

R2#

The refused connection on 443 confirms that plaintext HTTP and the default HTTPS port are closed, and the open connection on 40403 confirms that a listener is bound there. An open TCP port does not, however, prove that TLS is working or which certificate is presented; complete the verification from a permitted host with a TLS client (for example openssl s_client -connect 172.16.1.1:40403) and confirm the certificate's key size, and from a host outside the ACL to confirm the connection is refused before any login prompt.
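As an added example (not part of the original post), the following Python script audits a saved running-config against steps 1 to 6 above: hostname and domain name set, privilege-15 accounts stored with secret rather than password, plaintext HTTP off and HTTPS on, authentication configured, a timeout policy present, and an access-class that references an ACL with at least one permit entry. The two embedded configs are constructed samples rather than output from a real device, and the 300-second idle ceiling is an assumed local policy, not an IOS default.

```python
"""Offline audit of a Cisco IOS running-config against the HTTPS
hardening steps in this article. Added example; the sample configs are
constructed for illustration and were not taken from a real device."""
import re

# Constructed hardened config, mirroring steps 1-6 of the article.
SAMPLE_HARDENED = """\
hostname R1
ip domain-name icttowers.com
username webadmin privilege 15 secret 5 $1$constructed$not-a-real-hash
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 40403
ip http timeout-policy idle 60 life 1200 requests 5000
ip http access-class 1
access-list 1 permit 172.16.10.1
access-list 1 permit 172.16.20.0 0.0.0.255
"""

# Constructed weak config: default hostname, reversible password,
# plaintext HTTP still on, no authentication, no timeout policy, no ACL.
SAMPLE_WEAK = """\
hostname Router
username webadmin privilege 15 password 0 WebPassword
ip http server
ip http secure-server
"""

DEFAULT_HOSTNAMES = {"Router", "Switch"}
MAX_IDLE_SECONDS = 300  # assumed local policy threshold, not an IOS default


def config_lines(config):
    """Return the non-empty, non-comment ('!') lines with whitespace stripped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_http_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = config_lines(config)
    findings = []

    # Step 1: hostname changed from the default, and a domain name present.
    hostname = next((ln.split(None, 1)[1] for ln in lines
                     if ln.startswith("hostname ")), None)
    if hostname is None or hostname in DEFAULT_HOSTNAMES:
        findings.append("hostname missing or left at the default")
    if not any(ln.startswith("ip domain-name ") for ln in lines):
        findings.append("ip domain-name not set (required for RSA key generation)")

    # Step 2: privilege-15 accounts must use a hashed 'secret', not 'password'.
    for ln in lines:
        if ln.startswith("username ") and " privilege 15 " in ln and " secret " not in ln:
            findings.append("privilege-15 user %s stores a reversible password" % ln.split()[1])

    # Step 3: HTTPS on, plaintext HTTP off, authentication configured.
    if "ip http server" in lines:
        findings.append("plaintext ip http server is enabled")
    if "ip http secure-server" not in lines:
        findings.append("ip http secure-server is not enabled")
    if not any(ln.startswith("ip http authentication ") for ln in lines):
        findings.append("ip http authentication not configured")

    # Step 5: a timeout policy exists and its idle timer is within the assumed limit.
    policy = None
    for ln in lines:
        m = re.match(r"ip http timeout-policy idle (\d+) life (\d+) requests (\d+)$", ln)
        if m:
            policy = tuple(int(g) for g in m.groups())
    if policy is None:
        findings.append("ip http timeout-policy not configured")
    elif policy[0] > MAX_IDLE_SECONDS:
        findings.append("idle timeout %d s exceeds %d s" % (policy[0], MAX_IDLE_SECONDS))

    # Step 6: the access-class must reference an ACL that has permit entries.
    acl = next((ln.split()[-1] for ln in lines
                if ln.startswith("ip http access-class ")), None)
    if acl is None:
        findings.append("ip http access-class not configured (no source filtering)")
    elif not any(ln.startswith("access-list %s permit " % acl) for ln in lines):
        findings.append("ip http access-class %s references an ACL with no permit entries" % acl)

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        result = audit_http_config(cfg)
        print("%s: %s" % (name, "PASS" if not result else "\n  ".join([""] + result)))
```

Feed the script the output of show running-config saved to a file (or a configuration backup) and treat any non-empty finding list as a step that still needs to be applied; the hardened sample returns no findings, the weak sample returns one finding per missing step.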
